4G/LTE - Core Network

 

 

 

 

GTP (GPRS Tunneling Protocol)

 

When a data is transferred from Radio Stack(eNB) to Core Network it goes through various Interfaces as illustrated in Figure 1 of Network Architecture and Interface page. When the data go through these interface, they get encapsulated by various tunnel protocol as in Figure 2 of Network Architecture and Interface page. GTP is a specific type of tunneling protocol by which U-plane data (user data) go through as illustrated below. In 3GPP, GTP is specified in 29.281.

NOTE : GTP is used mainly for data traffic between eNB/gNB and core network. The control message between eNB/gNB and core network is going through SCTP.

 

 

 

Following is the GTP Header format. User Data (usually IP data) is encapsulated by a GTP packet following this header as shown in example section.

 

< 3GPP 29.281 - Figure 5.1-1: Outline of the GTP-U Header >

 

 

Examples :

 

 

Example 1 >   

 

This example is from my test setup with Amarisoft Callbox. Usually it is running gNB and MME on the same PC (Callbox PC), but it has flexible architecture to allow the eNB/gNB to get connected to MME installed on another PC as shown below or even to any MME(e.g,live network MME) that support standard S1 or NG interface.

 

 

The situation is that UE(192.168.3.2)  perform DNS enquiry to google DNS Sever(8.8.8.8). In this situation, on gNB and MME both NAT(Network Address Translation) and GTP tunneing happens on both gNB PC and MME PC.

 

Following is the Wireshark log captured on MME PC. (NOTE : Since this log is captured on MME PC, it does not show exactly what's happening in gNB PC, but you may easily guess about the gNB PC procedure from this example)

 

 

The traffic between gNB and MME can be illustrated as below. Step (1) and Step (8) belong to this type of traffic.

 

 

 

The traffic between MME and Google DNS Server can be illustrated as below. Step (2) and Step (7) belong to this type of traffic.

 

 

 

(1) GTP <DNS>

 

Internet Protocol Version 4, Src: 10.0.0.185, Dst: 10.0.0.162

    0100 .... = Version: 4

    .... 0101 = Header Length: 20 bytes (5)

    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)

        0000 00.. = Differentiated Services Codepoint: Default (0)

        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)

    Total Length: 104

    Identification: 0x6736 (26422)

    Flags: 0x40, Don't fragment

        0... .... = Reserved bit: Not set

        .1.. .... = Don't fragment: Set

        ..0. .... = More fragments: Not set

    Fragment Offset: 0

    Time to Live: 64

    Protocol: UDP (17)

    Header Checksum: 0xbdf4 [validation disabled]

    [Header checksum status: Unverified]

    Source Address: 10.0.0.185

    Destination Address: 10.0.0.162

User Datagram Protocol, Src Port: 2152, Dst Port: 2152

    Source Port: 2152

    Destination Port: 2152

    Length: 84

    Checksum: 0xc92b [unverified]

    [Checksum Status: Unverified]

    [Stream index: 19]

    [Timestamps]

        [Time since first frame: 0.000000000 seconds]

        [Time since previous frame: 0.000000000 seconds]

    UDP payload (76 bytes)

GPRS Tunneling Protocol

    Flags: 0x34

        001. .... = Version: GTP release 99 version (1)

        ...1 .... = Protocol type: GTP (1)

        .... 0... = Reserved: 0

        .... .1.. = Is Next Extension Header present?: Yes

        .... ..0. = Is Sequence Number present?: No

        .... ...0 = Is N-PDU number present?: No

    Message Type: T-PDU (0xff)

    Length: 68

    TEID: 0x4f485cc3 (1330142403)

    Next extension header type: PDU Session container (0x85)

    Extension header (PDU Session container)

        Extension Header Length: 1

        PDU Session Container

            0001 .... = PDU Type: UL PDU SESSION INFORMATION (1)

            .... 0000 = Spare: 0x0

            00.. .... = Spare: 0x0

            ..00 0001 = QoS Flow Identifier (QFI): 1

        Next extension header type: No more extension headers (0x00)

Internet Protocol Version 4, Src: 192.168.3.2, Dst: 8.8.8.8

    0100 .... = Version: 4

    .... 0101 = Header Length: 20 bytes (5)

    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)

        0000 00.. = Differentiated Services Codepoint: Default (0)

        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)

    Total Length: 60

    Identification: 0x3663 (13923)

    Flags: 0x40, Don't fragment

        0... .... = Reserved bit: Not set

        .1.. .... = Don't fragment: Set

        ..0. .... = More fragments: Not set

    Fragment Offset: 0

    Time to Live: 64

    Protocol: UDP (17)

    Header Checksum: 0x3094 [validation disabled]

    [Header checksum status: Unverified]

    Source Address: 192.168.3.2

    Destination Address: 8.8.8.8

User Datagram Protocol, Src Port: 45843, Dst Port: 53

    Source Port: 45843

    Destination Port: 53

    Length: 40

    Checksum: 0x397b [unverified]

    [Checksum Status: Unverified]

    [Stream index: 20]

    [Timestamps]

        [Time since first frame: 0.000000000 seconds]

        [Time since previous frame: 0.000000000 seconds]

    UDP payload (32 bytes)

Domain Name System (query)

    Transaction ID: 0xb078

    Flags: 0x0100 Standard query

        0... .... .... .... = Response: Message is a query

        .000 0... .... .... = Opcode: Standard query (0)

        .... ..0. .... .... = Truncated: Message is not truncated

        .... ...1 .... .... = Recursion desired: Do query recursively

        .... .... .0.. .... = Z: reserved (0)

        .... .... ...0 .... = Non-authenticated data: Unacceptable

    Questions: 1

    Answer RRs: 0

    Authority RRs: 0

    Additional RRs: 0

    Queries

        www.google.com: type A, class IN

            Name: www.google.com

            [Name Length: 14]

            [Label Count: 3]

            Type: A (Host Address) (1)

            Class: IN (0x0001)

    [Response In: 939]

 

 

(2) DNS

 

Internet Protocol Version 4, Src: 10.0.0.162, Dst: 8.8.8.8

    0100 .... = Version: 4

    .... 0101 = Header Length: 20 bytes (5)

    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)

        0000 00.. = Differentiated Services Codepoint: Default (0)

        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)

    Total Length: 60

    Identification: 0x3663 (13923)

    Flags: 0x40, Don't fragment

        0... .... = Reserved bit: Not set

        .1.. .... = Don't fragment: Set

        ..0. .... = More fragments: Not set

    Fragment Offset: 0

    Time to Live: 63

    Protocol: UDP (17)

    Header Checksum: 0xea9c [validation disabled]

    [Header checksum status: Unverified]

    Source Address: 10.0.0.162

    Destination Address: 8.8.8.8

User Datagram Protocol, Src Port: 45843, Dst Port: 53

    Source Port: 45843

    Destination Port: 53

    Length: 40

    Checksum: 0xf283 [unverified]

    [Checksum Status: Unverified]

    [Stream index: 21]

    [Timestamps]

        [Time since first frame: 0.000000000 seconds]

        [Time since previous frame: 0.000000000 seconds]

    UDP payload (32 bytes)

Domain Name System (query)

    Transaction ID: 0xb078

    Flags: 0x0100 Standard query

        0... .... .... .... = Response: Message is a query

        .000 0... .... .... = Opcode: Standard query (0)

        .... ..0. .... .... = Truncated: Message is not truncated

        .... ...1 .... .... = Recursion desired: Do query recursively

        .... .... .0.. .... = Z: reserved (0)

        .... .... ...0 .... = Non-authenticated data: Unacceptable

    Questions: 1

    Answer RRs: 0

    Authority RRs: 0

    Additional RRs: 0

    Queries

        www.google.com: type A, class IN

            Name: www.google.com

            [Name Length: 14]

            [Label Count: 3]

            Type: A (Host Address) (1)

            Class: IN (0x0001)

    [Response In: 938]

 

 

(7) DNS

 

Internet Protocol Version 4, Src: 8.8.8.8, Dst: 10.0.0.162

    0100 .... = Version: 4

    .... 0101 = Header Length: 20 bytes (5)

    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)

        0000 00.. = Differentiated Services Codepoint: Default (0)

        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)

    Total Length: 76

    Identification: 0x1b01 (6913)

    Flags: 0x00

        0... .... = Reserved bit: Not set

        .0.. .... = Don't fragment: Not set

        ..0. .... = More fragments: Not set

    Fragment Offset: 0

    Time to Live: 122

    Protocol: UDP (17)

    Header Checksum: 0x0aef [validation disabled]

    [Header checksum status: Unverified]

    Source Address: 8.8.8.8

    Destination Address: 10.0.0.162

User Datagram Protocol, Src Port: 53, Dst Port: 45843

    Source Port: 53

    Destination Port: 45843

    Length: 56

    Checksum: 0x03c6 [unverified]

    [Checksum Status: Unverified]

    [Stream index: 21]

    [Timestamps]

        [Time since first frame: 0.011497757 seconds]

        [Time since previous frame: 0.011497757 seconds]

    UDP payload (48 bytes)

Domain Name System (response)

    Transaction ID: 0xb078

    Flags: 0x8180 Standard query response, No error

        1... .... .... .... = Response: Message is a response

        .000 0... .... .... = Opcode: Standard query (0)

        .... .0.. .... .... = Authoritative: Server is not an authority for domain

        .... ..0. .... .... = Truncated: Message is not truncated

        .... ...1 .... .... = Recursion desired: Do query recursively

        .... .... 1... .... = Recursion available: Server can do recursive queries

        .... .... .0.. .... = Z: reserved (0)

        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server

        .... .... ...0 .... = Non-authenticated data: Unacceptable

        .... .... .... 0000 = Reply code: No error (0)

    Questions: 1

    Answer RRs: 1

    Authority RRs: 0

    Additional RRs: 0

    Queries

        www.google.com: type A, class IN

            Name: www.google.com

            [Name Length: 14]

            [Label Count: 3]

            Type: A (Host Address) (1)

            Class: IN (0x0001)

    Answers

        www.google.com: type A, class IN, addr 172.217.1.4

            Name: www.google.com

            Type: A (Host Address) (1)

            Class: IN (0x0001)

            Time to live: 44 (44 seconds)

            Data length: 4

            Address: 172.217.1.4

    [Request In: 933]

    [Time: 0.011497757 seconds]

 

 

(8) GTP <DNS>

 

Internet Protocol Version 4, Src: 10.0.0.162, Dst: 10.0.0.185

    0100 .... = Version: 4

    .... 0101 = Header Length: 20 bytes (5)

    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)

        0000 00.. = Differentiated Services Codepoint: Default (0)

        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)

    Total Length: 120

    Identification: 0x93c4 (37828)

    Flags: 0x40, Don't fragment

        0... .... = Reserved bit: Not set

        .1.. .... = Don't fragment: Set

        ..0. .... = More fragments: Not set

    Fragment Offset: 0

    Time to Live: 64

    Protocol: UDP (17)

    Header Checksum: 0x9156 [validation disabled]

    [Header checksum status: Unverified]

    Source Address: 10.0.0.162

    Destination Address: 10.0.0.185

User Datagram Protocol, Src Port: 2152, Dst Port: 2152

    Source Port: 2152

    Destination Port: 2152

    Length: 100

    Checksum: 0x15d0 [unverified]

    [Checksum Status: Unverified]

    [Stream index: 19]

    [Timestamps]

        [Time since first frame: 0.012275971 seconds]

        [Time since previous frame: 0.011631151 seconds]

    UDP payload (92 bytes)

GPRS Tunneling Protocol

    Flags: 0x34

        001. .... = Version: GTP release 99 version (1)

        ...1 .... = Protocol type: GTP (1)

        .... 0... = Reserved: 0

        .... .1.. = Is Next Extension Header present?: Yes

        .... ..0. = Is Sequence Number present?: No

        .... ...0 = Is N-PDU number present?: No

    Message Type: T-PDU (0xff)

    Length: 84

    TEID: 0xa968d0db (2842218715)

    Next extension header type: PDU Session container (0x85)

    Extension header (PDU Session container)

        Extension Header Length: 1

        PDU Session Container

            0000 .... = PDU Type: DL PDU SESSION INFORMATION (0)

            .... 0000 = Spare: 0x0

            0... .... = Paging Policy Presence (PPP): Not Present

            .0.. .... = Reflective QoS Indicator (RQI): Not Present

            ..00 0001 = QoS Flow Identifier (QFI): 1

        Next extension header type: No more extension headers (0x00)

Internet Protocol Version 4, Src: 8.8.8.8, Dst: 192.168.3.2

    0100 .... = Version: 4

    .... 0101 = Header Length: 20 bytes (5)

    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)

        0000 00.. = Differentiated Services Codepoint: Default (0)

        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)

    Total Length: 76

    Identification: 0x1b01 (6913)

    Flags: 0x00

        0... .... = Reserved bit: Not set

        .0.. .... = Don't fragment: Not set

        ..0. .... = More fragments: Not set

    Fragment Offset: 0

    Time to Live: 121

    Protocol: UDP (17)

    Header Checksum: 0x52e6 [validation disabled]

    [Header checksum status: Unverified]

    Source Address: 8.8.8.8

    Destination Address: 192.168.3.2

User Datagram Protocol, Src Port: 53, Dst Port: 45843

    Source Port: 53

    Destination Port: 45843

    Length: 56

    Checksum: 0x4abd [unverified]

    [Checksum Status: Unverified]

    [Stream index: 20]

    [Timestamps]

        [Time since first frame: 0.012275971 seconds]

        [Time since previous frame: 0.012275971 seconds]

    UDP payload (48 bytes)

Domain Name System (response)

    Transaction ID: 0xb078

    Flags: 0x8180 Standard query response, No error

        1... .... .... .... = Response: Message is a response

        .000 0... .... .... = Opcode: Standard query (0)

        .... .0.. .... .... = Authoritative: Server is not an authority for domain

        .... ..0. .... .... = Truncated: Message is not truncated

        .... ...1 .... .... = Recursion desired: Do query recursively

        .... .... 1... .... = Recursion available: Server can do recursive queries

        .... .... .0.. .... = Z: reserved (0)

        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server

        .... .... ...0 .... = Non-authenticated data: Unacceptable

        .... .... .... 0000 = Reply code: No error (0)

    Questions: 1

    Answer RRs: 1

    Authority RRs: 0

    Additional RRs: 0

    Queries

        www.google.com: type A, class IN

            Name: www.google.com

            [Name Length: 14]

            [Label Count: 3]

            Type: A (Host Address) (1)

            Class: IN (0x0001)

    Answers

        www.google.com: type A, class IN, addr 172.217.1.4

            Name: www.google.com

            Type: A (Host Address) (1)

            Class: IN (0x0001)

            Time to live: 44 (44 seconds)

            Data length: 4

            Address: 172.217.1.4

    [Request In: 932]

    [Time: 0.012275971 seconds]

 

 

 

Reference :